AlienVault Security Essentials Blog (Copyright 2019)
https://www.alienvault.com/blogs/security-essentials
Practical, how-to advice, tips and guidance.

Things I Hearted This Week, 22 Feb 2019
Published 2019-02-22. https://www.alienvault.com/blogs/security-essentials/things-i-hearted-this-week-22-feb-2019

We have two weeks of news to catch up with because I was travelling last week and wasn’t able to submit to the editor in time.

But that just means double the security fun. So let’s just jump right into it.

Helping The Smaller Businesses

Small and mid-sized businesses have most of the same cybersecurity concerns as larger enterprises. What they don't have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous.

Security Isn’t Enough. Silicon Valley Needs ‘Abusability’ Testing

It is time for Silicon Valley to take the potential for unintended, malicious use of its products as seriously as it takes their security. From Russian disinformation on Facebook, Twitter, and Instagram to YouTube extremism to drones grounding air traffic, tech companies need to think not just about protecting their own users but about abusability: the possibility that users could exploit their tech to harm others, or the world.

CISO Spotlight: Security Goals and Objectives for 2019

Rick Holland shares his security goals and objectives for 2019, which contain some great insights and tips such as hyperfocusing on process and program improvements, establishing a security and risk playbook, avoiding ‘expense in depth’, eating their own BBQ, and investing in the team.

Court Camera Used to Spy on Juror’s Notebook

Some defense attorneys in San Juan County worry that Sheriff Ron Krebs has a finger on the scales of justice after learning he used a courtroom security camera to surreptitiously zoom in on defense documents and a juror’s notebook during a criminal trial last week.

The incident has drawn outrage from criminal and civil-rights attorneys and frustration from the county prosecutor, and prompted a rare weekend hearing during which a judge dismissed misdemeanor assault and trespass charges against a Lopez Island man after finding the incident amounted to government misconduct that had violated his right to a fair trial.

When You Can’t Do Awesome Things, Because of Crushing Bureaucracy

The term ‘thought leader’ is thrown about with reckless abandon to the extent that it is viewed as a derogatory term. But Haroon Meer is probably among the few who are worthy of the title, and most of his posts give me something new to think about. This one is no different.

NHS Cybersecurity Needs to be a Qualified Success

A freedom of information request which revealed a lack of cyber and information governance training may be something of a red herring. But that doesn’t mean there isn’t valuable work to be done on creating a cyber-qualified NHS IT workforce.

Cards Used at 137 Restaurants Exposed by Point-of-Sale Breach

North Country Business Products, a point-of-sale and security solutions provider with roughly 6,500 customers around the US Midwest, has disclosed a data breach which led to the exposure of payment information for clients who used their credit and debit cards at 137 restaurants.

According to the company's data breach notification, North Country first observed that suspicious activity was present on some of its clients' networks on January 4 and a joint investigation with a third-party cybersecurity forensic firm established that the cause was malware deployed on its partner restaurants' networks.

The RSA Shortlist

RSA is just a couple of weeks away - arguably one of the largest business-focused security conferences, and soon the masses shall descend on San Francisco.

There’s usually something for everyone there, but how can you find the talks that are best for you? Well, maybe not the best talks for you, but Thom Langford has listed out some of the sessions he’s most interested in. Maybe it can inspire you to shortlist your own sessions:

Fileless Malware Detection: A Crash Course
Published 2019-02-21. https://www.alienvault.com/blogs/security-essentials/fileless-malware-detection

Given you’re here, you’re likely new to this topic, so please be aware that fileless malware, fileless malware attack, and fileless attack are different words for the same thing. With that clear, let’s jump in!

What is Fileless Malware and How Does It Work?

There are many definitions of a fileless malware attack. I like the description from the Ponemon Institute:

"A fileless attack is really an attack technique - what we're talking about is a technique - that avoids downloading malicious, executable files, usually to disk, at one stage or another by using exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network."

What's most confusing about these attacks is that they might not be 100% file-free. Different technique types are termed “fileless”, but that doesn't mean the malware or an entire attack campaign won’t include executables at some stage. For example, a traditional phishing attack could have fileless components: instead of the victim opening a file or clicking a link that downloads something to the hard drive, the malware may simply run in the computer’s memory. It’s a phishing attack, but one piece of it is fileless. That scenario is more common than a completely fileless malware attack where everything runs in memory. More commonly, we see traditional attacks (phishing campaigns, spoofing, man-in-the-middle (MitM)) in which something in the attack vector includes malicious code that runs in memory.

The other point is that you might hear “fileless attacks” referred to as non-malware attacks, memory-based attacks, in-memory attacks, zero footprint attacks, and macro attacks. These are all different flavors of attack techniques. The whole premise behind the attack is that it is designed to evade protection by traditional file-based or signature-based tools. So any technique designed to try to circumvent or evade detection by those tools really falls into the fileless attack category.

Just to get a picture of some of those techniques, in the picture below on the left there are some example delivery methods we see for fileless types of attacks. As we know, phishing and social engineering remain tactics that work for attackers.

This nice diagram from Microsoft shows a full taxonomy of fileless threats. It shows the breadth of techniques, tools, tactics, and procedures that malicious attackers are using to launch attacks.

We're seeing these attack methods persist because they are effective. Attackers are also looking for ways to infiltrate that don't require some kind of vulnerability exploit, to evade detection.

Trusted Admin Tools Leveraged for Fileless Attacks

Living off the land is the use of trusted admin tools to conduct malicious activity. It's a way to hide in plain sight.

These methods help attackers gain persistence within your environment, elevate privileges, and spread laterally across the network. Commonly, we see these with PowerShell and WMI. We've also seen some using Visual Basic scripts and UAC bypass, where attackers leverage trusted tools to perform malicious actions. This is true on both Linux and Windows.

Example of a Fileless Malware Attack: GZipDe

Here’s an example of an attack and how, at different stages, we see the use of sanctioned applications or different types of a vector that might not register with a file detection tool.

Our AlienVault Labs team wrote about this in a blog post in 2018. The attack begins with an email phishing campaign that includes an attachment, such as a normal-looking Word document. Once you open that Word document, there's a malicious macro. Once macros are enabled, a Visual Basic script executes, which launches a hidden PowerShell task, which then connects out, downloads and runs Metasploit in memory. You see a mix of file-based and fileless techniques throughout the process.

At first glance, it looks like a traditional attack. Everyone is familiar with phishing campaigns. Then, as you go through the process, it runs complete programs or attacks in memory, never writing them to disk, so that anti-virus can’t see them.

It also makes this non-persistent. If an attacker is trying to evade audit and capture at a later point, fileless attacks are great.

Have a Suspect Machine?

One of the first things many people do to investigate and audit a suspect machine is to isolate it and turn it off. Since everything runs in memory in these types of attacks, as soon as you turn a suspect machine off, all evidence of the attack is gone: isolate it from the network, but capture its memory before powering it down.

There are ways to make these attacks persistent. You can write cron jobs or scheduled tasks to a system from a PowerShell script to attain persistence. Generally, however, fileless malware attacks are gone once you reboot the computer.

Fileless Malware Detection

AlienVault® Open Threat Exchange® (OTX™) is a community of security researchers and practitioners. Individuals contribute information to the community after seeing attacks unfold in their environments, just to help others in the community keep up to date. It’s a great resource for anyone who wants to get an understanding of what’s happening in the wild.

I searched OTX™ for a few examples of fileless campaigns that we saw in 2018. This is from a quick search of “fileless”.

A perfect example of a fileless campaign is GhostMiner cryptomining. It was first recognized a few hundred days ago in our community. It started out as something you would download to your hard drive. It has morphed over time to using an executable PowerShell evasion framework so that they can execute the program within memory rather than downloading it to your drive. It installs cryptomining software, but in a new way.

What does it take to detect and defend and begin to protect yourself against these attacks? They are designed to evade file and signature-based protection tools - traditional anti-virus types of tools. What you need is better visibility on the host and on the endpoint.

Some of the ways to detect them include looking for processes executing shell commands, or suspicious commands executed by listening processes such as Elasticsearch. We might see excessive or anomalous network communications from processes, as well as limited persistence and privilege escalation. We might also see attackers trying to cover their tracks by deleting their bash history or installing malicious Chrome browser extensions. All of these can be indicators that some type of fileless malware attack is occurring in your environment. You’re going to need to spot anomalous behavior rather than a specific Indicator of Compromise (IoC).
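The behaviours listed above (a listening service spawning a shell, the Word-to-script-to-hidden-PowerShell chain from the GZipDe example, persistence via scheduled tasks, and bash history tampering) can be turned into simple behavioural rules over process-creation telemetry. The following is an added example, not AlienVault's code or any product's detection content; the event field names, service lists and regular expressions are my assumptions, and the sample events are constructed.

```python
"""Behavioural triage of process-creation events for fileless-attack indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Network-facing services that have no business spawning an interactive shell (assumed list).
LISTENING_SERVICES = {"java", "elasticsearch", "nginx", "httpd", "apache2",
                      "tomcat", "redis-server", "mysqld", "w3wp.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
SCRIPT_HOSTS = SHELLS | {"wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell launched with a hidden window or a base64-encoded command.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# Ways of deleting, clearing or redirecting bash history.
HISTORY_TAMPER = re.compile(
    r"rm\s+(?:-\w+\s+)*\S*\.bash_history"          # delete the history file
    r"|history\s+-c"                                # clear in-session history
    r"|unset\s+HISTFILE|HISTFILE=/dev/null"         # stop history being written
    r"|ln\s+-sf?\s+/dev/null\s+\S*\.bash_history")  # redirect it to /dev/null


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str     # path of the process that spawned this one
    parent_cmdline: str
    image: str            # path of the newly created process
    cmdline: str


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(ev: ProcessEvent) -> list[str]:
    """Return the names of every behavioural rule the event trips."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    hits = []
    # The JVM image is generic, so also check the parent command line for Elasticsearch.
    listener = parent in LISTENING_SERVICES or "elasticsearch" in ev.parent_cmdline.lower()
    if listener and child in SHELLS:
        hits.append("shell_from_listening_service")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if child in {"powershell.exe", "pwsh"}:
        if HIDDEN_WINDOW.search(ev.cmdline):
            hits.append("hidden_powershell_window")
        if ENCODED_CMD.search(ev.cmdline):
            hits.append("encoded_powershell_command")
    if parent in SCRIPT_HOSTS and child == "schtasks.exe" and "/create" in ev.cmdline.lower():
        hits.append("scheduled_task_from_script")
    if HISTORY_TAMPER.search(ev.cmdline):
        hits.append("shell_history_tampering")
    return hits


def triage(events) -> dict[str, list[str]]:
    """Group rule hits per host so an analyst sees the whole chain rather than one alert."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev.host].extend(analyse(ev))
    return {host: hits for host, hits in per_host.items() if hits}


# Constructed sample telemetry; not taken from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent("es-node-01", "/usr/bin/java",
                 "java -Xms4g -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch",
                 "/bin/sh", "sh -c id"),
    ProcessEvent("es-node-01", "/bin/bash", "bash", "/bin/rm", "rm -f /root/.bash_history"),
    ProcessEvent("ws-22", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WINWORD.EXE /n invoice.docm",
                 r"C:\Windows\System32\wscript.exe", "wscript.exe //B stage1.vbs"),
    ProcessEvent("ws-22", r"C:\Windows\System32\wscript.exe", "wscript.exe //B stage1.vbs",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc QQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQBhAGEAYQ=="),
    ProcessEvent("ws-22", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden", r"C:\Windows\System32\schtasks.exe",
                 "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\updater.cmd"),
    # Benign: cron running a backup script must not trip anything.
    ProcessEvent("web-01", "/usr/sbin/cron", "cron -f", "/bin/sh", "sh -c /usr/local/bin/backup.sh"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```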

To summarize:

Conclusion

The growing trend of fileless malware attacks will definitely make your life as a defender more challenging. There are free tools, like OTX, to help you keep up, and other offerings, like USM Anywhere to help quickly detect fileless attacks to prevent damage, even when there aren’t yet signatures or IoCs identified for the morphed version of fileless malware.

If you’re curious to explore further, check out the Fileless Attacks webcast by Danielle Russell and Aaron Genereaux where they walk you through actual detection examples.

Securing People
Published 2019-02-20. https://www.alienvault.com/blogs/security-essentials/securing-people

Cybersecurity has three pillars: people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security, installing another endpoint agent or deploying another network monitoring device designed to seek out anomalous behaviour.

While all these things are well and good, when you look at user awareness plans, most companies have a once-a-year activity where they go over a few points and hope people remain educated.

And as far as processes go … well, it’s unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses.

If we take an unscientific look at some of the trends over the last couple of years, we can see that non-state adversaries have been changing some of their tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data, which is why many attackers focus on different areas.

Three of the most commonly spotted areas are as follows:

Employees

Going after employees is a tried and tested method. Be that dropping USB drives marked “HR bonus list” in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time.

Phishing emails have been used in many ransomware infections, and Business Email Compromise (BEC) scams likewise rely on duping users within a company.

At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted by scammers who managed to swindle $18.6m. This trend shows no signs of slowing down: Business Email Compromise (BEC) fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data.

Customers

Employees aren’t the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers.

Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, posing as authorities such as law enforcement or the tax office to threaten recipients, or even pulling at emotions such as love and greed.

But phishing isn’t the only attack avenue against customers. Credential stuffing has also risen in popularity. This is where scammers take the passwords of users that have been disclosed in breaches, and use those credentials against other systems in the hope that users have reused passwords across different services.

Third Parties

Another avenue attackers target is third parties. This could be any company in the supply chain, or any company with whom the target has a business relationship. The infamous Target breach of 2013 was conducted after attackers broke in via an HVAC company.

In a more recent incident, LocalBitcoins was targeted by attackers who were able to compromise the site’s forums and redirect users to a phishing site, from where they captured users’ credentials.

Recommendations

Cyber security is perhaps the most challenging game of whack-a-mole in existence. Where we plug one hole, the attackers move to another, easier-to-exploit hole. With this in mind, we should look to continually move forward and proactively try to stop attackers’ new tactics becoming full-fledged epidemics.

To do so, enterprises need a consistent approach to awareness that covers not just their own users, but also their customers and third-party partners.

The most important things to consider would be:

Password reuse

Raise awareness of the dangers and risks associated with password reuse. Also provide tools or methods to help eliminate password reuse such as the use of password managers.

Clicking on links & opening attachments

While users within enterprises are getting some training on the dangers of clicking links or opening email attachments, this should extend to customers too. Establish good practices by avoiding sending links in emails, and asking users to navigate directly to the website to log onto their accounts.

Reporting issues

Finally, and perhaps most importantly, have a simple and accessible way for both employees and customers to report any suspicious activity, or indeed to report that they may have fallen victim to a scam by clicking on a link, opening an attachment, or sending sensitive information to a scammer.

]]>
2019-02-20T14:00:00+00:00Cybersecurity has three pillars of people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security - installing another endpoint agent, or deploying another network monitoring device designed to seek out anomalys behaviour.

While all these things are well and good, when you look at user awareness plans, and most companies have a once-a-year activity where they go over a few points and hope people remain educated.

And as far as processes go … well, it’s unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses.

If we take an unscientific look at some of the trends over the last couple of years, we can see that attacks coming from non-state adversaries has been changing some of its tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data. Which is why many attackers focus on different areas.

Three of the most commonly spotted areas are as follows:

Employees

Going after employees is a tried and tested method. Be that dropping USB drives marked “HR bonus list” in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time.

Phishing emails have been used in many ransomware infections, as well as Business Email Compromise (BEC) rely on duping users within a company.

At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted and managed to swindle $18.6m. This trend shows no signs of slowing down as Business email compromise (BEC) fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data.

Customers

Employees aren’t the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers.

Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, threatening behaviour such as law enforcement or the tax office, or even pulling at emotions such as love and greed.

But phishing isn’t the only attack avenue against customers. Credential stuffing has also risen in popularity. This is where scammers take the passwords of users that have been disclosed in breaches, and use those credentials against other systems in the hope that users have reused passwords across different services.

Third Parties

Another avenue attackers target are third parties. This could be any company in the supply chain, or with whom the target has a business relationship with. The infamous Target breach of 2013 was conducted after attackers broke in via a HVAC company.

In a more recent incident, LocalBitcoins was targeted by attackers who were able to compromise the sites forums and redirect users to a phishing site from where they captured users credentials.

Recommendations

Cyber security is perhaps the most challenging game of whack-a-mole in existence. Where we plug one hole, the attackers move to another, easier to exploit hole. With this, we should look to continually move forward and proactively try and stop attackers new tactics becoming full-fledged epidemics.

To do so, enterprises need to have a consistent approach to not just user awareness, but also increase awareness for their customers, and 3rd party partners.

The most important things to consider would be:

Password reuse

Raise awareness of the dangers and risks associated with password reuse. Also provide tools or methods to help eliminate password reuse such as the use of password managers.

Clicking on links & opening attachments

While users within enterprises are getting some training on the dangers of clicking links or opening email attachments, this should extend to customers too. Establish good practices by avoiding sending links in emails, and asking users to navigate directly to the website to log onto their accounts.

Reporting issues

Finally, and perhaps most importantly, have a simple and accessible way for both employees and customers to report any suspicious activity, or indeed to report that they may have fallen victim to a scam by clicking on a link, opening an attachment, or sending sensitive information to a scammer.

Managed Security Trends and Usage
https://www.alienvault.com/blogs/security-essentials/managed-security-trends-and-usage
https://feeds.feedblitz.com/~/596579222/0/alienvault-security-essentials~Managed-Security-Trends-and-Usage
2019-02-11T14:00:00+00:00

New infographic! The full report is here.

Things I Hearted This Week, 8th February 2019
https://www.alienvault.com/blogs/security-essentials/things-i-hearted-this-week-8th-february-2019
https://feeds.feedblitz.com/~/596188406/0/alienvault-security-essentials~Things-I-Hearted-This-Week-th-February

What a wild week it’s been. There have been assaults on researchers (ok, just one that I know of), there’s a great look into changing company cultures, and RDP has a flaw.

All this and more, in this week’s action-packed edition of things I hearted this week.

Assaulting Researchers

The short version is that researchers found a significant vulnerability in a vendor's casino app, reported it, and for their troubles were assaulted by the COO.

Probably not the bounty any researcher wants in return for trying to do the right thing.

It reads like a mixture of a good novel and something you’d imagine playing out on Jerry Springer. There’s not enough popcorn for this.

The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed around 269,621 separate cases of individuals having their personal information impacted as a result of human error. The report [PDF] says that during the period covering October 1 through to December 31, 2018, 262 notifications of data breaches were received by the Office of the Australian Information Commissioner (OAIC), with 85 being put down to human error.

WhatsApp 'Deleting 2m Accounts a Month' to Stop Fake News

WhatsApp says it is deleting 2m accounts per month as part of an effort to blunt the use of the world’s most popular messaging app to spread fake news and misinformation. The Facebook-owned service published the data as part of a white paper on “stopping abuse” that was launched on Wednesday in India, the biggest market for the company with more than 200m users.

The Nightmare on Service Desk Street

Many “ITIL aligned” service desk tools have flawed incident management. The reason is that incidents are logged with a time association and some related fields to type in some gobbledygook. The expanded incident life cycle is not enforced and as a result trending and problem management is not possible.

A research firm has disclosed multiple vulnerabilities in the Remote Desktop Protocol that, if left unpatched, could allow compromised or infected machines to attack the RDP clients that remotely connect to them.

In a blog post, Check Point Software Technologies researcher Eyal Itkin refers to this scenario as a reverse RDP attack because the RDP servers installed on the compromised machines essentially reverse the normal direction of RDP communication in order to control and execute code on the client device.

Google's New Chrome Extension Warns You If Your Passwords Have Been Exposed

Google has rolled out two new tools to help the password-challenged beef up their security game. The first is a Chrome extension called Password Checkup that can identify if you’re using a password that’s been exposed in a third-party data breach. The second is a feature called Cross Account Protection, which helps protect apps you’ve signed into with your Google account.
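As an added example, not Google's code and not part of the original post: one way a breached-password check can work without the service ever learning the password. It models the k-anonymity range query used by the Pwned Passwords API (the client sends only the first five hex characters of the password's SHA-1, receives every suffix in that bucket, and finishes the match locally). Google's extension uses a different blinded protocol; the design goal, that the server never sees the password or its full hash, is the same. The breach corpus below is constructed.

```python
"""Check a password against a breach corpus without revealing it.

Added example, not Google's Password Checkup code. Models the k-anonymity
range query of the Pwned Passwords API; the breach corpus is constructed.
"""
import hashlib

# Constructed stand-in for a corpus of leaked passwords.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- server side -----------------------------------------------------------
def build_index(corpus):
    """Bucket the corpus by 5-char SHA-1 prefix -> set of 35-char suffixes."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_query(index, prefix):
    """The only thing the server ever receives is a 5-character prefix;
    it answers with every suffix in that bucket (possibly none)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(index.get(prefix.upper(), ()))


# ---- client side -----------------------------------------------------------
def what_server_sees(password):
    """The data the client actually transmits: 20 bits of the hash."""
    return sha1_hex(password)[:5]


def is_breached(password, index):
    """True if the password appears in the corpus. The suffix match happens
    here, on the client, never on the server."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


if __name__ == "__main__":
    idx = build_index(BREACHED_PASSWORDS)
    for candidate in ("password", "correct horse battery staple"):
        verdict = "breached" if is_breached(candidate, idx) else "ok"
        print(candidate, "->", verdict, "(server saw only", what_server_sees(candidate) + ")")
```

With a real corpus each prefix bucket holds hundreds of suffixes, so the prefix alone does not identify the password; the client-side match is what turns the bucket into a yes/no answer.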

Other Stories I Hearted This Week

Security Have and Have-Nots
https://www.alienvault.com/blogs/security-essentials/security-have-and-have-nots
https://feeds.feedblitz.com/~/595855823/0/alienvault-security-essentials~Security-Have-and-HaveNots

Back in around the 2010/2011 timeframe, Wendy Nather coined the phrase "The Security Poverty Line", hypothesising that organisations, for one reason or another (usually lack of funds), can't afford to reach an effective level of information security.

Nearly a decade on, and while the term has sunk into frequent usage within the information security community, are we any better at solving the issue now that we've identified it?

I asked Wendy for her thoughts, to which she said, “I don’t think we’ve even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform.”

It’s a morbid thought, and can leave one with a feeling of helplessness. So, I thought I’d try to scratch beneath the surface to see what we can understand about the security poverty line.

Technical Debt

The term technical debt has become more prevalent within information security over the years: a company accrues technical debt, or information security risk, over time as a result of the decisions it has made. For example, if a service is launched before a full penetration test or code review has been undertaken, the cost of fixing any subsequent issues in a live environment adds to the debt.

Exponential Losses

One of the challenges with technical debt is that it doesn’t accrue in a linear manner; rather, the debt, and with it the fall below the poverty line, grows at an exponential rate.

Speaking to people who run small businesses, things become a bit clearer as to some of the challenges they face.

Cybersecurity needs investment in different areas: initially to hire expertise or to invest in technologies, neither of which is necessarily a small investment. Then there are ongoing costs - the cost to maintain security and to undertake ongoing testing. Then, when wanting to do business with larger companies, the smaller company is usually subject to a third-party assurance process where it needs to demonstrate that it meets all the cybersecurity requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business, or even legal action from partners and regulatory fines, as well as the cost of incident recovery and PR management.

How Much Information Security is Enough?

With such a seemingly endless laundry list of things to consider in the security world, the question on the minds of most businesses is, ‘how much is enough’? Unfortunately, if you’re looking for a hard number, you’ll be disappointed, because the threats and challenges present in the cyber world are a moving target.

But this doesn’t mean all effort is futile, it’s more a case of looking at the world differently.

One way to look at this could be through the lens of finite and infinite games, as coined by James Carse in his 1986 book of the same name.

The idea is that there are two kinds of games: finite and infinite. Finite games are those which have rules such as the number of participants, boundaries, time duration, and so forth. After a certain period of time, a winner is declared in accordance with the agreed-upon rules.

If you try to look at cyber security as a finite game, you will inevitably pull your hair out in frustration and turn into precisely how Urban Dictionary describes infosec.

Cyber security is more of an infinite game - one where there are no set rules or boundaries, or even a winner or loser as defined in the classical sense. Rather, the purpose of an infinite game is to always be in a position to continue the game.

Continuing The Game

Asking companies to continue the game when resources are scarce and they’re living on the security poverty line is a tall order. But once you understand the game, the players, the pieces, and the moves, it becomes easier to plan your strategy. For that, it’s useful to consider the following points.

1. People

Having the right people can be the difference between making it or not. It doesn’t necessarily mean hiring an entire security department. Sometimes, all it needs is a consultant to help provide guidance and steer towards best security practices to ensure security is built right from the beginning.

2. Technology

IT security technologies have come a long way in the last decade. While the constant news cycle may make it feel like things are getting worse, what we actually see is more attacks that focus on humans, through phishing, or compromises through third parties.

Therefore, it makes sense to invest in technologies that offer a broader set of capabilities. These can be more affordable, not just to buy, but to maintain on an ongoing basis.

3. Outsourcing

In today’s age of the cloud and service providers, in many cases it doesn’t make sense to keep everything in-house. Securing the services of a reputable MSSP can remove the need to run your own security operations centre, and having a PR agency on retainer can help smooth over any incidents that need reporting.

4. Insurance

Finally, where risk can’t be mitigated or accepted, consider transferring it to an insurance provider. Not only can insurance help alleviate the financial cost of a breach, but it can go a long way in demonstrating to customers, shareholders, or partners that insurance was part of a broad cyber security plan to keep data secure.

2019-02-06T14:00:00+00:00

Online trading is on the rise as many consumers take control of their own investments or work with brokers virtually rather than in person or over the phone. At the same time, cybersecurity attacks are on the rise as hackers also try to take advantage of gaps in the system, stealing identities and even money.

How do you keep yourself safe when trading online? Here are six simple tips:

Check the Doors and Windows

Before trading online, know that the most important thing is awareness. Be aware of what risks you run by trading online and what might happen. In your home, you check doors and windows before going to bed because you know they are potential entry points; you need to understand the same thing about online trading.

How do you recognize a threat and combat it or prevent it in the first place? One of the keys is good security software and setting up automatic alerts. Of course, once you receive an alert, you need to know what actions to take, and software can help with that as well. Secure your online trading accounts and all of the data associated with them by securing any potential entry points. It’s also never a bad idea to regularly back up your data, either through physical offsite or cloud-based storage. Should the integrity of your systems be compromised due to a breach, you’ll still have access to your data.

None Shall Pass

For a moment, let’s talk passwords, one of the entry points mentioned above. Truth is, as much as we talk about passwords, the list of the top awful ones every year is astounding, including things like your birthday, 123456, and even the word “password” used as a password.

There is no reason for this in an age of password vaults and generators that not only help you set your passwords, but remember them for you as well and can even remind you to change them. Consider using such a password management system, and guard your passwords carefully. All of the fancy firewalls and protection in the world do no good if your password is easy to guess.

Think Twice

Do you know what two-factor authentication is and how to use it? Most apps, even those for social media, offer this now, and bank and trading apps are no exception. When you log in from a new device, you will need not only your password, but you will need to have access to a device you own.

This can be everything from your tablet, your phone, your smartwatch, or at the minimum access to your primary email. A code will be sent to that device or email that you must enter in order to access your account. This is a great second layer of security — one that is free.

That way, even with your password, a hacker cannot breach your account.
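As an added example, not part of the original post: the section describes a code delivered to a device you own. Authenticator apps achieve the same second factor with a time-based one-time password (TOTP, RFC 6238) derived from a shared secret and the clock, so no code has to be sent over SMS or email at all. The secret below is the RFC 6238 test secret, so the expected codes are the RFC's own published test vectors.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) as a second factor.

Added example, not from the original post. Uses the RFC 6238 test secret so
the outputs can be checked against the RFC's published vectors.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP = HOTP over the number of `step`-second intervals since epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, step=30, digits=6, skew=1):
    """Server-side check. Accepts the current code and `skew` steps either
    side to tolerate clock drift, and compares in constant time so the
    response time does not reveal how many digits were right."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), candidate)
        for c in range(counter - skew, counter + skew + 1)
    )


if __name__ == "__main__":
    print("code at T=59:", totp(RFC6238_SECRET, 59, digits=8))  # 94287082
```

A production verifier also records the counter of the last accepted code and refuses it a second time: within the skew window a code that was captured in transit would otherwise still be valid, and single use is what makes the second factor hold up against a password that has already leaked.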

Don’t Let Them In

What happened in the quite public cyberattacks on Home Depot and Target? Both retailers had the same problem, in that they had granted access to their systems to vendors and did not shut off that access when the vendor was done working.

This is a common insider threat. The key is that you do not give access to your trading account to any app or person who does not need it. If you do give someone, like your accountant, access at tax time, or even programs like TurboTax or H&R Block, change the password and remove their access once they no longer need it.

Just as you control your own password, you need to control the password and access of others who can control your account. Also, in many cases, you can set up roles and determine what exactly that person can do with your trading accounts. Understand this, and limit actions to ones they actually need.

What’s in Your Wallet?

More common than ever before, trading in cryptocurrency is on the rise. However, there is an issue that is often not addressed. While the blockchain is very secure and easily encrypted, often the weak point for traders is their virtual wallet. Much like cash, when cryptocurrency is stolen, it is hard to track down and get returned.

What do you do? First, make sure that you are using a well-known and reliable wallet. There have been scams where hackers offer wallets with supposed benefits only to empty depositors’ wallets and disappear.

Keep Currency

Do you trade in other currency? Forex trading is another place where security is vital, and much of this depends on the broker you choose. The truth is, no one forex broker is right for everyone. You need to carefully evaluate them based on your needs and the security they provide.

Things like speed, comfort with the forex platform, spreads, and commissions are also important to understand. Forex trades are much like cryptocurrency trades: Security is paramount, and the right hacker given the right opportunity can drain your accounts and really ruin your day.

Trading online is becoming more popular, but as it does, hackers are becoming more determined. Take steps to secure your trading accounts and follow up with new security updates to keep your money safe online.

SIEM: What Is It, and Why Does Your Business Need It?
https://www.alienvault.com/blogs/security-essentials/siem-what-is-it-and-why-does-your-business-need-it
https://feeds.feedblitz.com/~/595547956/0/alienvault-security-essentials~SIEM-What-Is-It-and-Why-Does-Your-Business-Need-It

Security information and event management (SIEM) technology is transforming the way IT teams identify cyber threats, collect and analyze threat data and respond to security incidents. But what does that all mean? To better understand SIEM, let's take a look at SIEM technology, how it works and its benefits.

What Is SIEM?

SIEM technology is a combination of security event management (SEM) and security information management (SIM) technologies. IT teams use SEM technology to review log and event data from a business' networks, systems and other IT environments, understand cyber threats and prepare accordingly. By comparison, IT teams use SIM technology to retrieve and report on log data.

How Does SIEM Work?

IT teams use SIEM technology to collect log data across a business' infrastructure; this data comes from applications, networks, security devices and other sources. IT teams can then use this data to detect, categorize and analyze security incidents. Finally, with security insights in hand, IT teams can alert business leaders about security issues, produce compliance reports and discover the best ways to safeguard a business against cyber threats.
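The collect, normalise, detect and categorise steps described above, as an added example that is not AlienVault's or any product's code. It pulls two constructed log sources (syslog-style sshd lines and JSON firewall records) into one event schema, counts events per type the way a dashboard would, and runs a correlation rule that only fires when both sources are read together. All hosts, addresses and usernames are constructed.

```python
"""A minimal SIEM-style pipeline: collect, normalise, correlate, categorise.

Added example, not AlienVault's product code. Both log formats and every
host, address and username are constructed for the example.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Source 1: constructed syslog-style sshd lines (no year in the timestamp).
SSH_LOG = """\
Feb 20 10:01:05 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb 20 10:01:09 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2
Feb 20 10:01:14 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51130 ssh2
Feb 20 10:01:20 web01 sshd[812]: Accepted password for root from 203.0.113.7 port 51133 ssh2
Feb 20 10:02:00 web01 sshd[830]: Accepted publickey for deploy from 192.0.2.33 port 40000 ssh2
"""

# Source 2: constructed JSON-lines firewall records.
FW_LOG = """\
{"ts": "2019-02-20T10:00:50", "action": "block", "src": "203.0.113.7", "dst_port": 3389}
{"ts": "2019-02-20T10:00:55", "action": "block", "src": "203.0.113.7", "dst_port": 445}
{"ts": "2019-02-20T10:01:58", "action": "allow", "src": "192.0.2.33", "dst_port": 22}
"""

SSH_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (\S+) from (\S+) port"
)


def parse_ssh(text, year=2019):
    """Normalise sshd lines into the common event schema."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue          # unparsed lines would go to a dead-letter queue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "source": "sshd", "host": m.group(2),
               "type": "auth_success" if m.group(3) == "Accepted" else "auth_failure",
               "user": m.group(4), "src_ip": m.group(5)}


def parse_firewall(text):
    """Normalise firewall JSON records into the same schema."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        yield {"ts": datetime.fromisoformat(rec["ts"]), "source": "firewall",
               "host": None, "type": "fw_" + rec["action"],
               "user": None, "src_ip": rec["src"], "dst_port": rec["dst_port"]}


def collect(ssh_text=SSH_LOG, fw_text=FW_LOG):
    """Collect from every source into one time-ordered event stream."""
    events = list(parse_ssh(ssh_text)) + list(parse_firewall(fw_text))
    events.sort(key=lambda e: e["ts"])
    return events


def categorise(events):
    """Counts per normalised event type: the raw material for dashboards
    and compliance reports."""
    return Counter(e["type"] for e in events)


def rule_blocked_then_login(events, lookback=timedelta(minutes=5), min_failures=3):
    """Cross-source correlation: a successful login from an address that the
    firewall blocked and that also failed >= min_failures logins within
    `lookback`. Neither source alone would flag this."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "auth_success":
            continue
        recent = [p for p in events[:i]
                  if p["src_ip"] == ev["src_ip"] and ev["ts"] - p["ts"] <= lookback]
        blocked = any(p["type"] == "fw_block" for p in recent)
        failures = sum(p["type"] == "auth_failure" for p in recent)
        if blocked and failures >= min_failures:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                           "user": ev["user"], "src_ip": ev["src_ip"],
                           "failures_before": failures, "severity": "high"})
    return alerts


if __name__ == "__main__":
    evs = collect()
    print(dict(categorise(evs)))
    for alert in rule_blocked_then_login(evs):
        print(alert)
```

The value of the common schema is visible in the rule: it asks about `src_ip` and `type` without caring which device produced the record, which is what lets a single rule span firewall and host logs.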

SIEM tools also typically provide compliance reporting – something that is exceedingly valuable for businesses that must comply with the European Union (EU) General Data Protection Regulation (GDPR) and other data security mandates. With that capability, IT teams can quickly identify and address security issues before they lead to compliance violations.

SIEM tools help speed up incident response and remediation, too. A cyber security talent shortage plagues businesses worldwide, but SIEM tools help IT teams work around it: they are generally simple to deploy, and they often can be used in combination with a business' third-party security tools. As such, SIEM tools sometimes reduce the need to hire additional cyber security professionals.

Is SIEM Right for My Business?

SIEM technology is designed for businesses of all sizes and across all industries. If a mid-sized retailer wants to protect its critical data against insider threats, for example, SIEM technology can help this business do just that. Or, if a globally recognized bank requires a user-friendly compliance management tool, it can deploy SIEM technology as part of its efforts to meet industry mandates. SIEM tools can even help businesses protect their Internet of Things (IoT) devices against cyber attacks, proactively seek out cyber threats and much more.

How Can I Select the Right SIEM Tool for My Business?

The right SIEM tool varies based on a business' security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities:

Compliance reporting

Database and server access monitoring

Incident response and forensics

Internal and external threat identification

Intrusion detection and prevention system, firewall, event application log and other application and system integrations

Lastly, as you search for the right SIEM tool for your business, it often helps to partner with a proven SIEM technology provider. If you have the right SIEM technology provider at your side, your business can seamlessly integrate a SIEM tool into its day-to-day operations. As a result, your IT team can use SIEM technology to streamline its security management.

]]>
2019-02-04T14:00:00+00:00

Security information and event management (SIEM) technology is transforming the way IT teams identify cyber threats, collect and analyze threat data and respond to security incidents. But what does that all mean? To better understand SIEM, let's take a look at SIEM technology, how it works and its benefits.

What Is SIEM?

SIEM technology is a combination of security event management (SEM) and security information management (SIM) technologies. IT teams use SEM technology to review log and event data from a business' networks, systems and other IT environments, understand cyber threats and prepare accordingly. Comparatively, IT teams use SIM technology to retrieve and report on log data.

How Does SIEM Work?

IT teams use SIEM technology to collect log data across a business' infrastructure; this data comes from applications, networks, security devices and other sources. IT teams can then use this data to detect, categorize and analyze security incidents. Finally, with security insights in hand, IT teams can alert business leaders about security issues, produce compliance reports and discover the best ways to safeguard a business against cyber threats.

SIEM tools also typically provide compliance reporting, which is exceedingly valuable for businesses that must comply with the European Union (EU) General Data Protection Regulation (GDPR) and other data security mandates. With these reporting capabilities, IT teams can quickly identify and address security issues before they lead to compliance violations.

SIEM tools help speed up incident response and remediation, too. A cyber security talent shortage plagues businesses worldwide, but SIEM tools help IT teams cope with it: they are generally simple to deploy and can often be used in combination with a business' third-party security tools. As such, SIEM tools can sometimes reduce the need to hire additional cyber security professionals.

Is SIEM Right for My Business?

SIEM technology is designed for businesses of all sizes and across all industries. If a mid-sized retailer wants to protect its critical data against insider threats, for example, SIEM technology can help this business do just that. Or, if a globally recognized bank requires a user-friendly compliance management tool, it can deploy SIEM technology as part of its efforts to meet industry mandates. SIEM tools can even help businesses protect their Internet of Things (IoT) devices against cyber attacks, proactively seek out cyber threats and much more.

How Can I Select the Right SIEM Tool for My Business?

The right SIEM tool varies based on a business' security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities:

Compliance reporting

Database and server access monitoring

Incident response and forensics

Internal and external threat identification

Intrusion detection and prevention system, firewall, event application log and other application and system integrations

Lastly, as you search for the right SIEM tool for your business, it often helps to partner with a proven SIEM technology provider. If you have the right SIEM technology provider at your side, your business can seamlessly integrate a SIEM tool into its day-to-day operations. As a result, your IT team can use SIEM technology to streamline its security management.

]]>
Things I Hearted This Week, 1st Feb 2019
https://www.alienvault.com/blogs/security-essentials/things-i-hearted-this-week-1st-feb-2019
https://feeds.feedblitz.com/~/595125804/0/alienvault-security-essentials~Things-I-Hearted-This-Week-st-Feb
https://www.alienvault.com/blogs/security-essentials/things-i-hearted-this-week-1st-feb-2019#When:14:00:00Z

Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do.

Enough reminiscing - let’s get down to it.

The Big Five

There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them.

But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever, with detailed write-ups and slick videos showcasing how she cut out the big five of Amazon, Facebook, Google, Microsoft, and Apple from her life, one week at a time.

Considerations for When Your Apartment Goes “Smart”

Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks, depending on how you look at it)?

Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position.

While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vulnerable devices. The survey is part of an effort to strengthen Japan's network of Internet of Things devices ahead of the 2020 Tokyo Olympic Games.

I like the intent behind this initiative, but the execution leaves me a little worried. Scanning for devices is one thing, actively logging into a device is another. It will be interesting to see how this pans out.

South Korean Delivery Apps Accidentally Leak 26M Documents

The Korean Android Apps Zcall Delivery Agent and Zcall Delivery Account Manager, which are used to schedule and report package pickups and deliveries, have accidentally leaked personal information about their users.

The leaked data includes not only names, addresses, phone numbers, and delivery times, but also plaintext passwords for shop and staff logins, as well as what appears to be plaintext banking information.

A statement on the company’s website acknowledges the leak and assures customers that the outflow route has been blocked, but blames the incident on the Korea Internet Promotion Agency rather than a hacking intrusion on their servers.

Judge Rejects Yahoo’s Data Breach Settlement Proposal

Yahoo’s proposed $50 million pay-out, plus two years of free credit monitoring for about 200 million people in the United States and Israel, was rebuffed by U.S. District Judge Lucy Koh, who said she couldn’t declare the settlement “fundamentally fair, adequate and reasonable” because it did not say how much victims could expect to recover, according to court documents.

In 2016, the massive data breach compromised the information of more than one billion Yahoo users, affecting email addresses and other personal information, marking the largest data breach in history.

Other Things I Hearted This Week

2019-02-01T14:00:00+00:00

Threat Actors That Don’t Discriminate

When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch.

Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX).

The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet.

The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs, because credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”:

The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.

As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.

How Can APT10 Group Impact You?

If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants (such as PlugX and Redleaves) on critical systems. Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They’ve gone from first date to a home run!

Wired Magazine reported the following on APT10 in a December 2018 article:

In the case of the MSP intrusions, that malware appears to have been made up mostly of customized variants of PlugX, RedLeaves—which have previously been linked to Chinese actors—and QuasarRAT, an open source remote access trojan. The malware posed as legitimate on a victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign.

What Can You Do About APT10 Group?

For sophisticated, long-standing, and non-discriminating campaigns such as this, the NCCIC suggests there is no single defensive technique, program, or set of them that will completely avert all malicious activities — because new variants are constantly being created. Instead, security pros should use a defense-in-depth approach (multiple layers of security) to provide a complex barrier to entry and increase the likelihood of detection. Among the key recommendations are the following (which can be easily managed via the AlienVault Unified Security Management (USM) platform).

Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.

AlienVault Labs has identified more than 660 Indicators of Compromise (IOCs) associated with this campaign, which are shared in OTX. You can use USM Anywhere or OSSIM to directly check for these IOCs throughout your attack surface. The Labs team has also released IDS signatures and correlation rule updates to the USM Anywhere Platform so customers can identify suspicious activity that could be related to this campaign.
